Abstract — People have been studying the following problem: Given a finite set $S$ with a hidden (black box) binary operation $* : S \times S \to S$ which might come from a group law, and suppose you have access to an oracle that you can ask for the operation $x * y$ of single pairs $(x, y) \in S^2$ you choose. What is the minimal number of queries to the oracle until the whole binary operation is recovered, i.e. you know $x * y$ for all $x, y \in S$?

This problem can trivially be solved by using $|S|^2$ queries to the oracle, so the question arises under which circumstances you can succeed with a significantly smaller number of queries.

In this presentation we give a lower bound on the number of queries needed for general binary operations. On the other hand, we present algorithms solving this problem by using $|S|$ queries, provided that $*$ is an abelian group operation. We also investigate black box rings and give lower and upper bounds for the number of queries needed to solve product recovering in this case.



I. Introduction 

There is a considerable literature on algebraic objects 
whose operations are described by a 'black box'. There 
are different motivations for studying such objects. 

In computational group theory, black box groups became an important and frequently used tool. They were introduced by Babai and Szemerédi [BS84] in order to study algorithms for matrix groups. In a black box group, elements are encoded as (not necessarily unique) bitstrings and there are oracles (the black box) providing multiplication and inversion of the encoded group elements as well as recognition of the identity element — but often the isomorphism class and even the order of the underlying group is unknown. The research is ongoing and a collection of some algorithms for black box groups can be found in Seress' monograph [Ser03, Ch. 2].
One major question in black box group research is the recognition problem, which asks whether a given black box group is isomorphic to a fixed finite group like $S_n$ or $\mathrm{SL}_n(\mathbb{F}_q)$ and possibly to provide an explicit description of such an isomorphism, see e.g. [BLGN+03], [BP00], [KS01]. The constructive recognition problem in the case of abelian groups has been investigated by Buchmann, Jacobson, Schmidt and Teske [BJT97], [BS05].

Also in cryptography the use of black box groups and fields proved useful when analyzing the hardness of the discrete logarithm problem; e.g. Shoup obtained lower bounds for generic algorithms this way [Sho97]. Black box fields of prime order were used by Boneh and Lipton [BL96] when studying the discrete logarithm problem in the presence of a Diffie-Hellman oracle. Note that the isomorphism class of the underlying objects is known in these cases.

The basic question this paper is concerned with is: given a black box group or black box ring, how many calls to the oracle are necessary to recover the whole operation tables? To illustrate the importance of this question we mention its relevance for estimating the information content of an algebraic operation table and for designing practical compression algorithms for these tables. Furthermore, a black box object might be a crucial device in a symmetric cryptosystem, and one wishes to analyze the cost of describing this black box completely.

We shall be interested in the problem of recovering the 
hidden operation by using a minimal number of queries 
to the oracle. In algorithm analysis we neglect here the 
remaining computational costs, i.e. we assume unlimited 
computational and storage power but limited access to 
the oracle. 

When investigating the product recovering problem it is natural to assume unique encoding of group elements, since this is necessary for the black box operation to depend only on the underlying group and not on some arbitrariness of the encoding. However, we include some remarks and comments concerning the general case of nonunique encoding.

The organization of this paper is as follows. In Section II, which forms the main part, we consider the case of one binary black box operation. After a formalization of the problem we are able to prove lower bounds for the general case in Subsection II-B and for some special cases in Subsection II-C. Afterwards we present some upper bounds and give the corresponding algorithms for the case of abelian groups in Subsection II-D. Here the lower and upper bounds are quite close together.

Finally, in Section III we consider algebraic structures with two binary operations. We deal with the situation where we have a ring with known addition but unknown multiplication.

II. One binary operation 

We define a black box with one binary operation in 
the most general way: 

Definition 1: A black box groupoid is a given finite set $S$ together with a binary operation $* : S \times S \to S$ which is accessible by an oracle. The oracle can be asked for the multiplication $x * y$ of single pairs $(x, y) \in S^2$.

The set S can be thought of as a set of bitstrings and 
the binary operation * is the black box we only have 
limited access to. 

Given a black box groupoid, we are interested in the problem of recovering the hidden operation $*$ by using a minimal number of queries to the oracle. We also assume that some information on the operation $*$ is available, i.e. a set $X$ of possible binary operations $* : S \times S \to S$ is given. For example, if we know that $*$ is a group operation, then

$$X_{\mathrm{Groups}} = \{ * : S \times S \to S \mid (S, *) \text{ is a group} \}.$$

Another example is the situation where we know that $(S, *)$ is isomorphic to a particular groupoid $(G, \cdot)$. In this case

$$X_G = \{ * : S \times S \to S \mid \text{there is an isomorphism } f : (S, *) \to (G, \cdot) \}.$$

Algorithms solving the product recovering problem 
must specify the appropriate set X. 

Remark 2: When only the existence of an epimorphism $f : (S, *) \to (G, \cdot)$ is known, then we may have nonunique encoding of group(oid) elements. This is usually the case in the black box group literature, where there is also an oracle for testing whether $f(x) = 1$ holds. However, in general we cannot exploit the algebraic structure of $G$ to recover $*$ exactly. Instead we can hope to find a subset $\tilde{S} \subseteq S$ such that $f|_{\tilde{S}} : \tilde{S} \to G$ is bijective and to find $\tilde{*} : \tilde{S} \times \tilde{S} \to \tilde{S}$ such that $f(a \,\tilde{*}\, b) = f(a * b)$ for all $a, b \in \tilde{S}$.

[Fig. 1. A query-algorithm for a totally ordered set {a, b, c}]

A. Query-algorithms

We model query-algorithms as certain labeled trees 
with the nodes corresponding to queries to the oracle 
and the edges corresponding to its possible answers: 

Definition 3: A query-algorithm with respect to a set $X$ of binary operations $* : S \times S \to S$ on a set $S$ is a rooted tree $T$ with labels such that

• any node $v$ of $T$ which is not a leaf is labeled with '$x * y$' where $x, y \in S$ (to be thought of as a query), leaves are unlabeled,

• the branches to the children of $v$ are labeled with '$z$' with elements $z \in S$ (to be thought of as possible answers), such that different branches have different labels.

Furthermore we require completeness of answers in the following sense. For every possible binary operation $* \in X$ there exists a corresponding path $(v_0, \dots, v_k)$ from the root $v_0$ to a leaf $v_k$ such that if $v_i$ is labeled with '$x_i * y_i$' then the branch $(v_i, v_{i+1})$ is labeled with '$z_i$' where $z_i = x_i * y_i$, for $0 \le i < k$.

The leaf $L(*) := v_k$ is then uniquely determined by this property, so that there is a well-defined map

$$L : X \to \{\text{leaves of } T\}.$$

The query-algorithm $T$ is said to solve product-recovering if this map $L$ is bijective, i.e. there is a one-to-one correspondence between the leaves of $T$ and the operations $* \in X$.

Example 4: Let $X$ be the set of all binary operations $*$ on a three-element set $S = \{a, b, c\}$ such that $(S, *)$ is isomorphic to the semigroup $(\{0, 1, 2\}, \max)$. Thus, there is an unknown total ordering of the elements of $S$, and the problem of product-recovering is equivalent to recovering this ordering.

A query-algorithm solving product-recovering is shown in Fig. 1. Every leaf $v$ is labeled with the ordering which corresponds to the binary operation $*_v = L^{-1}(v)$.
Example 5: Let $(G, \cdot) = (\mathbb{Z}_4, +)$ be the cyclic group of order 4 and let $S = \{a, b, c, d\}$. Fig. 2 shows a query-algorithm $T$ solving product-recovering for this group, i.e. with respect to $X_G$.

The leaves $v$ are labeled with a shortened presentation of the binary operation $*_v = L^{-1}(v)$. Note that the elements 1 and 3 of $\mathbb{Z}_4$ are exchangeable, so we do not have to specify their corresponding elements in $S$.

Since $T$ has 12 leaves we have $|X_G| = 12 = 4!/|\mathrm{Aut}(\mathbb{Z}_4)|$, which also follows from Lemma 7 below.



B. Lower bounds 

The next lemma establishes a general lower bound. 

Lemma 6: Let $T$ be any query-algorithm which solves product-recovering with respect to a set $X$ of binary operations on a set $S$, and let $N$ be its number of queries to the oracle. Assuming a uniform distribution on $X$ we have for the expectation

$$E(N) \ge \log_{|S|} |X|.$$

(We say $T$ needs at least $\log_{|S|} |X|$ queries on average.)

Proof: $E(N)$ is the average height of all leaves of the tree $T$. Now any node of $T$ has at most $|S|$ children and $T$ has exactly $|X|$ leaves. This yields the result. ■
Lemma 7: For any groupoid $(G, \cdot)$ with $|G| = n$ we have

$$|X_G| = \frac{n!}{|\mathrm{Aut}(G, \cdot)|}.$$

Proof: Without loss of generality we may assume that $S = G$ as sets.

Consider the set $X$ of all binary operations $* : G \times G \to G$ and the group action

$$\mathrm{Sym}(G) \times X \to X, \quad (\varphi, *) \mapsto *_\varphi,$$

where $*_\varphi$ is defined by $x *_\varphi y = \varphi^{-1}(\varphi(x) * \varphi(y))$ for all $x, y \in G$, so that $\varphi : (G, *_\varphi) \to (G, *)$ is a groupoid isomorphism.

Now under this group action, the operation $\cdot \in X$, coming from the known groupoid $(G, \cdot)$, has exactly $X_G$ as orbit and $\mathrm{Aut}(G, \cdot)$ as stabilizer group. Thus the lemma follows from the orbit-stabilizer theorem. ■



Now if $G_1, \dots, G_m$ are pairwise non-isomorphic groupoids (e.g. the family of all abelian groups of a given size), then the $X_{G_i}$ are pairwise disjoint. Let $X := X_{G_1} \cup \cdots \cup X_{G_m}$, then by Lemma 7

$$|X| = \sum_{i=1}^{m} \frac{n!}{|\mathrm{Aut}(G_i)|}.$$



C. Special cases 

1) max-semigroups: Assume that $(S, *)$ is isomorphic to the semigroup $(G, \cdot) = (\{0, 1, \dots, n-1\}, \max)$ (see Example 4 for the case $n = 3$).

Corollary 8: Any query-algorithm which solves product-recovering with respect to $X_G$ needs at least

$$\log_2(n!) \ge n \log_2 n - \frac{n}{\ln 2} + \frac{\log_2 n}{2}$$

queries to the oracle on average.

Proof: Since $|\mathrm{Aut}(G, \cdot)| = 1$ we have $|X_G| = n!$ by Lemma 7. Now in this semigroup any node of a query-algorithm has at most 2 children (the answer to a query $x * y$ is always one of $x$ and $y$), so by the same argument given in the proof of Lemma 6 we see that at least $\log_2(n!)$ queries on average are needed. Finally the stated inequality is a consequence of $n! \ge (n/e)^n \sqrt{n}$, coming from Stirling's formula. ■

Note that solving product-recovering reduces to the well-studied problem of sorting an $n$-element set, where the queries to the oracle correspond to comparisons of elements. There are several sorting algorithms (e.g. merge sort) which use $O(n \ln n)$ comparisons in the worst case.

2) Abelian groups: Now assume that $(S, *) = (G, \cdot)$ is an abelian group with $n$ elements (see Example 5).

Corollary 9: Suppose that $(G, \cdot)$ is generated by $r$ elements. Any query-algorithm which solves product-recovering with respect to $X_G$ needs at least

$$n - r - \frac{n}{\ln n} + \frac{1}{2}$$

queries to the oracle on average.

Proof: Note that any endomorphism of $G$ is determined by its image on its $r$ generators. Hence $|\mathrm{Aut}(G)| \le |\mathrm{End}(G)| \le n^r$. On the other hand we have $n! \ge (n/e)^n \sqrt{n}$ from Stirling's formula, so that $\log_n(n!) \ge n - \frac{n}{\ln n} + \frac{1}{2}$. Now the result follows from Lemma 6 and Lemma 7. ■

Note that any abelian group of size $n$ can be generated by at most $\log_2 n$ elements, so that one can achieve $r \le \log_2 n$ in general. Of course, if $(G, \cdot)$ is cyclic, one can set $r = 1$.

D. Upper bounds for abelian groups 

We give an upper bound for the worst-case number of 
queries needed to solve product-recovering in the case of 
abelian groups and present the corresponding algorithm 
in the proof. 

Proposition 10: Let $S$ be a set of size $n$ and

$$X_{\mathrm{Ab}} = \{ * : S \times S \to S \mid (S, *) \text{ is an abelian group} \}.$$

Then there is a query-algorithm which solves product-recovering with respect to $X_{\mathrm{Ab}}$ using at most $n$ queries to the oracle for any $* \in X_{\mathrm{Ab}}$.

Proof: We write the query-algorithm as a list of instructions rather than as a tree, because this representation is more compact and readable. The algorithm is based on two basic subroutines.

1) Start by choosing some $a = a_1 \in S$ and apply the following algorithm.

Repeat computing $a_{k+1} = a_k * a$ for $k = 1, 2, 3, \dots$ until $a_{k+1} = a$.

After execution, $k$ is the order $\mathrm{ord}(a)$ of $a$, and $k$ queries to the oracle have been made. We further know that $a_0 := a_k$ is the identity element. Also, we deduce that $a_i * a_j = a_{(i+j) \bmod k}$ for $0 \le i, j < k$.

Hence if $S_a = \{a_0, a_1, \dots, a_{k-1}\}$ is the subgroup generated by $a$, then $*$ is known on $S_a \times S_a$.

2) If $S_a \ne S$ choose some $b = b_1 \in S \setminus S_a$ and apply the following algorithm.

Repeat computing $b_k = b_{k-1} * b$ for $k = 2, 3, 4, \dots$ until $b_k \in S_a$.

For all $s \in S_a \setminus \{a_0\}$ and $0 < i < k$ compute $s * b_i$.

After execution we know $s * b_i$ for all $s \in S_a$ and all $0 \le i < k$, where $b_0 := a_0$ (the cases $s = a_0$ or $i = 0$ need no query). Then for any $s, t \in S_a$ and $0 \le i, j < k$ we have by commutativity

$$(s * b_i) * (t * b_j) = \begin{cases} (s * t) * b_{i+j} & \text{if } i + j < k, \\ (s * t * b_k) * b_{i+j-k} & \text{if } i + j \ge k. \end{cases}$$

This element is known, since we knew already $*$ on $S_a \times S_a$ and $b_k \in S_a$. It follows that $*$ is known on $S_{ab} \times S_{ab}$, where $S_{ab}$ is the subgroup generated by $S_a$ and $b$.

Let $m = |S_a|$. The number of queries to the oracle needed by the algorithm is

$$k - 1 + (m - 1)(k - 1) = m(k - 1) = mk - m.$$

Now $mk = |S_{ab}|$, so that $|S_{ab}| - |S_a|$ queries to the oracle have been used.

3) If $S_{ab} \ne S$ choose some $c \in S \setminus S_{ab}$ and repeat 2) with $S_a$ replaced by $S_{ab}$ and $b$ replaced by $c$. After that $*$ is known on $S_{abc} \times S_{abc}$, the subgroup generated by $S_{ab}$ and $c$, and $|S_{abc}| - |S_{ab}|$ queries to the oracle have been used, etc.

Writing $S_1, S_2, S_3, \dots$ for $S_a, S_{ab}, S_{abc}, \dots$ we finally reach $r$ such that $S_r = S$. Then we have recovered the whole operation $*$ on $S \times S$ and we have used

$$|S_1| + (|S_2| - |S_1|) + \cdots + (|S_r| - |S_{r-1}|) = |S_r| = |S| = n$$

queries to the oracle in total. ■
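The algorithm from the proof of Proposition 10, as an added example that is not from the paper: a hidden abelian group (a constructed $\mathbb{Z}_2 \times \mathbb{Z}_6$ behind randomly shuffled labels) is recovered through a query-counting oracle, and the count comes out to exactly $n = |S|$. The oracle wrapper and all function names are my own.

```python
import itertools
import random

def make_oracle(moduli=(2, 6), seed=1):
    """Hide Z_2 x Z_6 (constructed sample) behind shuffled labels. Returns the
    labels, the counted oracle, its counter and an uncounted reference op."""
    elems = list(itertools.product(*[range(m) for m in moduli]))
    labels = list(range(len(elems)))
    random.Random(seed).shuffle(labels)
    enc = dict(zip(elems, labels))              # group element -> opaque label
    dec = {lab: el for el, lab in enc.items()}
    count = [0]
    def truth(x, y):                            # the hidden law on labels
        return enc[tuple((u + v) % m for u, v, m in zip(dec[x], dec[y], moduli))]
    def query(x, y):                            # the black box: every call counts
        count[0] += 1
        return truth(x, y)
    return sorted(labels), query, count, truth

def recover_abelian(S, query):
    """Recover the whole table {(x, y): x * y} with exactly |S| queries."""
    # Step 1: a, a*a, a*a*a, ... until a comes back; the element before is e.
    a = S[0]
    powers = [a]                                # powers[i] = a_{i+1}
    while True:
        nxt = query(powers[-1], a)
        if nxt == a:
            break
        powers.append(nxt)
    k = len(powers)                             # ord(a) = number of queries so far
    e = powers[-1]                              # a_k is the identity
    sub = [e] + powers[:-1]                     # sub[i] = a_i for 0 <= i < k
    table = {(sub[i], sub[j]): sub[(i + j) % k] for i in range(k) for j in range(k)}
    # Steps 2 and 3: enlarge the known subgroup H by a fresh b until H = S.
    while len(sub) < len(S):
        known = set(sub)
        b = next(x for x in S if x not in known)
        bpow = [b]                              # bpow[i] = b_{i+1}
        while bpow[-1] not in known:
            bpow.append(query(bpow[-1], b))
        k, bk = len(bpow), bpow[-1]             # b_k is the first power inside H
        # coset[(s, i)] = s * b_i; only s != e with 0 < i < k costs a query.
        coset = {(s, 0): s for s in sub}
        for i in range(1, k):
            coset[(e, i)] = bpow[i - 1]
            for s in sub:
                if s != e:
                    coset[(s, i)] = query(s, bpow[i - 1])
        # (s*b_i)*(t*b_j) = (s*t)*b_{i+j}; for i+j >= k fold b_k (in H) back in.
        new_table = {}
        for (s, i), x in coset.items():
            for (t, j), y in coset.items():
                st = table[(s, t)]
                if i + j < k:
                    new_table[(x, y)] = coset[(st, i + j)]
                else:
                    new_table[(x, y)] = coset[(table[(st, bk)], i + j - k)]
        table, sub = new_table, list(coset.values())
    return table
```

With `moduli=(11,)` the same code reproduces the 11-query figure of Example 11 for a cyclic group of prime order.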
Example 11: Consider a black box group $(S, *)$ of size 11. Then we know that $S$ is isomorphic to the cyclic group and $|\mathrm{Aut}(S, *)| = 10$, so $|X_G| = 11!/10 = 3991680$. By Lemma 6 and Lemma 7 we conclude that an algorithm solving product-recovering needs at least $\lceil \log_{11} 3991680 \rceil = 7$ queries to the oracle in the worst case.

Proposition 10 ensures the existence of an algorithm which needs 11 oracle-queries. In fact it is not hard to see that in the case of groups of prime order the last two queries in the above algorithm can be omitted, yielding an algorithm which uses 9 queries to the oracle.

Now a computer search among all possible product-recovering algorithms has shown that the minimal number of oracle-queries an algorithm needs in the worst case is 8. Such an algorithm can be outlined as follows:

1) choose some $a \in S$ and compute $a_{sq} = a * a$

2) if $a_{sq} \ne a$ let $a_1 = a$ and $a_2 = a_{sq}$, otherwise let $e = a$, choose some $a_1 \ne a$ and compute $a_2 = a_1 * a_1$

3) compute $a_3 = a_2 * a_1$, $a_4 = a_3 * a_1$, $a_5 = a_4 * a_1$ and $a_7 = a_5 * a_2$

4) if $a_{sq} \ne a$ compute $e = a_7 * a_4$

5) choose three different elements $b, c, d$ from the four-element set $S \setminus \{e, a_1, a_2, a_3, a_4, a_5, a_7\}$ and compute $b * c$ and $b * d$

Remark 12: When we have nonunique encoding of group elements, a variant of the above algorithm will solve product-recovering provided we are given a generating set and an oracle for recognizing the identity. However, to check whether $b_k$ lies in $S_a$ (as in the second subroutine) may be a costly operation.

III. Two binary operations

Suppose we are given a finite set $S$ with two hidden binary operations $+$ and $*$, accessible via an oracle. If we know that $(S, +, *)$ is a ring, then $(S, +)$ is an abelian group, so we can use Proposition 10 to recover the addition table. We now have a ring with known addition, but unknown multiplication. This section deals with that situation.

Definition 13: A black box groupoid with given addition is a black box groupoid $(S, *)$ such that there is a known binary operation $+ : S \times S \to S$ on $S$, and the following distributive laws hold on $S$ with respect to $+$ and $*$, i.e.

$$a * (b + c) = (a * b) + (a * c), \qquad (a + b) * c = (a * c) + (b * c)$$

for all $a, b, c \in S$.

In this case, all binary operations $* \in X$ in question will satisfy the distributive laws above. Suppose, for example, we know that $(S, +, *)$ is isomorphic to some known ring $(R, +, \cdot)$. Then the set of possible operations we are dealing with is

$$X_R := \{ * : S \times S \to S \mid \text{there is an isomorphism } \psi : (S, +, *) \to (R, +, \cdot) \}.$$

Its size is given in the next result.

Lemma 14: For any ring $(R, +, \cdot)$ we have

$$|X_R| = \frac{|\mathrm{Aut}(R, +)|}{|\mathrm{Aut}(R, +, \cdot)|},$$

where $\mathrm{Aut}(R, +)$ are the additive group automorphisms and $\mathrm{Aut}(R, +, \cdot)$ are the ring automorphisms.

Proof: The arguments are the same as in the proof of Lemma 7. We identify $S = R$ as sets and consider the action of $\mathrm{Aut}(R, +)$ on the set $X$ of all binary operations $* : R \times R \to R$. Then $X_R$ is exactly the orbit of $\cdot \in X$ and $\mathrm{Aut}(R, +, \cdot)$ is its stabilizer group. ■
Now we specialize to the case when $(S, +, *) = (\mathbb{F}_q, +, \cdot)$ is a field of size $q = p^r$ with $p$ prime.

Corollary 15: Any query-algorithm which solves product-recovering for a field of size $q = p^r$ with known addition needs at least

$$r - \log_q(4r)$$

queries to the oracle on average.

Proof: The automorphisms $\mathrm{Aut}(\mathbb{F}_q, +)$ are exactly the vector space automorphisms of the $\mathbb{F}_p$-vector space $(\mathbb{F}_p)^r$, so that

$$|\mathrm{Aut}(\mathbb{F}_q, +)| = (q - 1)(q - p) \cdots (q - p^{r-1}) = q^r \left(1 - \frac{1}{p}\right)\left(1 - \frac{1}{p^2}\right) \cdots \left(1 - \frac{1}{p^r}\right) \ge \frac{q^r}{4},$$

where $\left(1 - \frac{1}{p}\right) \cdots \left(1 - \frac{1}{p^r}\right) \ge \prod_{i \ge 1} \left(1 - \frac{1}{2^i}\right) \ge \frac{1}{4}$.

On the other hand, $|\mathrm{Aut}(\mathbb{F}_q, +, \cdot)| = |\mathrm{Aut}(\mathbb{F}_{p^r} / \mathbb{F}_p)| = [\mathbb{F}_{p^r} : \mathbb{F}_p] = r$, by basic Galois theory. Hence

$$\frac{|\mathrm{Aut}(\mathbb{F}_q, +)|}{|\mathrm{Aut}(\mathbb{F}_q, +, \cdot)|} \ge \frac{q^r}{4r}$$

and the result follows from Lemma 6 and Lemma 14. ■
We now give an upper bound for the number of queries needed to solve product-recovering for rings $(S, +, *)$ of size $|S| = n$ with given addition. For this it suffices to ask the oracle for all products $a * b$ of elements $a, b \in A$, where $A$ is a generating set for the abelian group $(S, +)$. Then if $x, y \in S$, we can write $x = a_1 + \cdots + a_k$ and $y = b_1 + \cdots + b_l$ with $a_i, b_j \in A$ for all $i, j$, and thus

$$x * y = (a_1 + \cdots + a_k) * (b_1 + \cdots + b_l) = \sum_{i=1}^{k} \sum_{j=1}^{l} a_i * b_j;$$

now, since all $a_i * b_j$ are known and the addition is known, we also know $x * y$.

Because $(S, +)$ can be generated by at most $\log_2 n$ elements, we thus have $(\log_2 n)^2$ as an upper bound. Together with Proposition 10 this proves:

Proposition 16: If $(S, +, *)$ is a ring of size $n$, then there is a query-algorithm which solves product-recovering for both operations $+$ and $*$ with at most

$$n + (\log_2 n)^2$$

queries to the oracle in the worst case.
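The generator-product method above, as an added example that is not from the paper: the addition table of a constructed ring ($\mathbb{Z}_2 \times \mathbb{Z}_4$ with componentwise operations) is taken as known, a generating set $A$ of $(S, +)$ is chosen greedily, and $|A|^2$ oracle queries plus the distributive laws yield the whole multiplication table. The ring construction and all names are my own.

```python
import itertools

def make_ring(moduli=(2, 4)):
    """Constructed sample: the product ring Z_2 x Z_4 with componentwise
    operations. The addition table is handed over as known; multiplication
    is reachable only through the counted query oracle."""
    S = list(itertools.product(*[range(m) for m in moduli]))
    def truth(x, y):                            # hidden multiplication
        return tuple((u * v) % m for u, v, m in zip(x, y, moduli))
    add = {(x, y): tuple((u + v) % m for u, v, m in zip(x, y, moduli))
           for x in S for y in S}
    count = [0]
    def query(x, y):                            # the black box: every call counts
        count[0] += 1
        return truth(x, y)
    return S, add, query, count, truth

def recover_ring_mult(S, add, query):
    """Recover x*y on all of S from |A|^2 queries, A a generating set of (S, +)."""
    zero = next(z for z in S if add[(z, z)] == z)   # only the identity has z+z = z
    def span(gens):
        # BFS along "+g" edges; rep[x] lists generators (with repetition) summing to x
        rep, queue = {zero: []}, [zero]
        while queue:
            x = queue.pop()
            for g in gens:
                y = add[(x, g)]
                if y not in rep:
                    rep[y] = rep[x] + [g]
                    queue.append(y)
        return rep
    gens, rep = [], span([])
    while len(rep) < len(S):      # greedy: each new generator at least doubles the span
        gens.append(next(x for x in S if x not in rep))
        rep = span(gens)
    prod = {(a, b): query(a, b) for a in gens for b in gens}   # the only oracle calls
    table = {}
    for x in S:
        for y in S:               # x*y = sum_i sum_j a_i*b_j by the distributive laws
            acc = zero
            for a in rep[x]:
                for b in rep[y]:
                    acc = add[(acc, prod[(a, b)])]
            table[(x, y)] = acc
    return table, len(gens)
```

Because each new generator at least doubles the span, the greedy choice gives $|A| \le \log_2 n$, so the query count never exceeds the $(\log_2 n)^2$ bound.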